Matthew_Doherty@datawatch.com
2004-Feb-13 14:22 UTC
Hello, I am not in the list. I'm a long-time user of Shorewall and have one problem
Been a long-time fan of Shorewall. Thank you for a wonderful program! Everything was working great for these past 3 years; up until now I have a strange problem. All my DROP rules are not working, and Shorewall says my config is OK and it IS running.

My setup is (behind a NAT router): RedHat 7.3, Webmin v1.130 (using the Shorewall module), Shorewall 1.3.14. I use 2 network interfaces, zone 'net' and zone 'firewall'. The firewall IS DNS, Web, Mail, FTP, Samba. I never mess with any of my original configs except just the rules. Now and then I just add a subnet to block and restart Shorewall or refresh the config.

Yesterday I added a few rules and restarted Shorewall using the 'service shorewall restart' command. Usually I check its status and it will display that it has caught and dropped the IP segments that are listed in my rules to DROP. Now nothing is being blocked; Shorewall is running and states my config is OK. I vi'd into my rules file to take a look for any mistakes and can't find the reason why. Here is a short clip of my rules file that includes the IPs that are not being blocked anymore. I hope I made an error and it's not some bug in the program.

DROP net:204.225.0.0/16 $FW all - -
DROP net:65.125.54.171 $FW all - -
DROP net:69.0.0.0/8 $FW all - -
DROP net:64.124.0.0/16 $FW all - -
DROP net:208.185.0.0/16 $FW all - -
DROP net:64.119.0.0/16 $FW all - -
DROP net:209.216.0.0/16 $FW all - -
DROP net:64.253.0.0/16 $FW all - -
DROP net:64.191.0.0/16 $FW all - -
DROP net:208.184.0.0/16 $FW all - -
DROP net:64.95.0.0/16 $FW all - -
REJECT net:65.57.0.0/16 $FW all - -
REJECT net:65.0.0.0/8 $FW all - -

As you can see, for the 65.0.0.0 subnet I have tried 3 different things to block it. The 65.0.0.0 subnet still gets through! If anything this rule, "REJECT net:65.0.0.0/8", should override these 2 rules: 'DROP net:65.125.54.171' and 'REJECT net:65.57.0.0/16'. Nothing is being blocked at this moment, and Shorewall status is running and 'Shorewall config check' states it's good.
Tom Eastep
2004-Feb-13 16:01 UTC
Re: Hello, I am not in the list. I'm a long-time user of Shorewall and have one problem
On Friday 13 February 2004 06:22 am, Matthew_Doherty@datawatch.com wrote:
> Been a long time fan of shorewall. Thank You for a wonderful program!
> Everything was working great for these past 3 years, Up until now I have a
> strange problem.
> All my DROP rules are not working and shorewall says my config is OK and
> it IS running.

What output does "shorewall show shorewall" produce?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2004-Feb-13 17:48 UTC
Re: Hello, I am not in the list. I'm a long-time user of Shorewall and have one problem
On Friday 13 February 2004 06:22 am, Matthew_Doherty@datawatch.com wrote:
> Been a long time fan of shorewall. Thank You for a wonderful program!
> Everything was working great for these past 3 years, Up until now I have a
> strange problem.
> All my DROP rules are not working and shorewall says my config is OK and
> it IS running.

To finish this thread, the problem was that Matthew didn't realize that Shorewall rules are evaluated in the order in which they appear in the rules file and that the first match determines the final outcome.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
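The first-match behaviour Tom describes, as an added example that is not code from the thread or from Shorewall itself: a small Python evaluator that reads rules in the column layout Matthew posted (ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT) and reports which rule a packet hits first. The DROP/REJECT lines are three of Matthew's own; the ACCEPT line is an assumption standing in for whatever earlier rule was letting traffic through on his box, since the thread never shows it. Running the same four rules in two orders shows why a block placed below a broader ACCEPT never fires, and why a later REJECT cannot "override" an earlier DROP.

```python
import ipaddress

# Constructed rules file: the DROP/REJECT lines come from the thread; the
# ACCEPT line is an assumed earlier rule that admits web traffic from 'net'.
PERMISSIVE_FIRST = """\
ACCEPT  net                $FW  tcp  80  -
DROP    net:65.125.54.171  $FW  all  -   -
REJECT  net:65.57.0.0/16   $FW  all  -   -
REJECT  net:65.0.0.0/8     $FW  all  -   -
"""

# The same four rules with the blocks moved above the ACCEPT.
BLOCKS_FIRST = """\
DROP    net:65.125.54.171  $FW  all  -   -
REJECT  net:65.57.0.0/16   $FW  all  -   -
REJECT  net:65.0.0.0/8     $FW  all  -   -
ACCEPT  net                $FW  tcp  80  -
"""


def parse_rules(text):
    """Parse rules-file lines into dicts; '#' starts a comment, blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"rule needs ACTION SOURCE DEST: {raw!r}")
        zone, _, addr = fields[1].partition(":")
        rules.append({
            "action": fields[0],
            "zone": zone,
            # A bare zone (no ':address') matches every source in that zone.
            "net": ipaddress.ip_network(addr, strict=False) if addr else None,
            "dest": fields[2],
            "proto": fields[3] if len(fields) > 3 else "all",
            "dport": fields[4] if len(fields) > 4 else "-",
        })
    return rules


def first_match(rules, src_zone, src_ip, dest, proto, dport):
    """Return (1-based rule number, action) of the first rule the packet matches,
    or (None, 'POLICY') when no rule matches and the zone policy would decide."""
    ip = ipaddress.ip_address(src_ip)
    for number, rule in enumerate(rules, start=1):
        if rule["zone"] != src_zone or rule["dest"] != dest:
            continue
        if rule["net"] is not None and ip not in rule["net"]:
            continue
        if rule["proto"] != "all" and rule["proto"] != proto:
            continue
        if rule["dport"] != "-" and rule["dport"] != str(dport):
            continue
        return number, rule["action"]          # first match wins; stop here
    return None, "POLICY"


def trace(text, src_ip, proto="tcp", dport=80):
    """Evaluate one packet from zone 'net' to the firewall against a rules file."""
    return first_match(parse_rules(text), "net", src_ip, "$FW", proto, dport)


if __name__ == "__main__":
    for label, text in (("permissive rule first", PERMISSIVE_FIRST),
                        ("blocks first", BLOCKS_FIRST)):
        print(label)
        for ip in ("65.57.1.1", "65.125.54.171", "65.200.1.1", "10.1.1.1"):
            print(f"  {ip:>16} tcp/80 -> {trace(text, ip)}")
```

With the ACCEPT on top, a TCP/80 packet from 65.57.1.1 is accepted by rule 1 and the REJECT lines below it are never consulted, which is exactly the symptom of "nothing is being blocked" while the config still checks out. With the blocks moved up, the same packet is rejected by the /16 rule, the single host is dropped by rule 1 rather than rejected by the /8, and only traffic that no block covers reaches the ACCEPT. Walking a rules file this way before a restart is a cheap check that a newly added block actually sits above anything that would admit the same traffic.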